Opinions are like a%$*oles, everyone has them and they're usually full of &amp;*it! Argue with our Opinion writers or add your own. Who knows... a great opinion post could land you a featured opinion article!

In your experience how receptive have your organizations/targets been to conducting pentests?

Outside of compliance drivers, it obviously depends on the organization. Progressive or information technology centric companies I think see more value and thus are receptive. I am currently working with a client that is as such but their main drivers are their client requirements since they are a private company. I have seen lots of other companies that see absolutely no value because IS Managers say their networks are secure.

Ironically, with all the high profile attacks lately (Lulzsec) as soon as the main stream media catches on - it will impact how organizations look at pentests. The main stream media will get these stories, screw them up, and scare people beyond belief. This is always a good thing for Information Security people. All of a sudden if this stuff hits the Wall Street Journal, executives begin to panic...regardless, if you've been telling them for years to get a pentest... Reactive IT, isn't that what we're all used to?

Have you seen value to the pentest?

Assuming the pen test company doesn't just deliver Nessus scan results and actually does a pen test, there is definitely value.

Unfortunately, the gap between modern technology controls and what the bad guys can do is huge. The thing in the middle of that gap are people. I think most of us would agree that the easiest way to get into a network is via social engineering. What usually will come out of a pentest is, "Hey, you need a security awareness program for your employees."

Personally I think the ROI model for security investments is flawed for a number of reasons. I've been meaning to write a paper on this topic for awhile. I'll followup on this topic when i have a bit more time to explain my thoughts, but ask yourself whether standard rules for ROI really apply for security investments. Then ask yourself if you really have sufficient data to answer that question.